|
Sunday, 26 June 2005 |
W32.Mytob.FX@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm spreads through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Type: Worm
Infection Length: 67,584 bytes.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Once W32.Mytob.FX@mm is executed, it performs the following actions:
Copies itself as the following:
%System% askgmrr.exe
C:mypic003.scr
C:mypic004.scr
C:mypic005.scr
Note: %System% is a variable that refers to the System folder. By default this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).
Creates the file C:mngr32.exe (Detected as W32.Mytob.L@mm.)
Adds the value:
"WINTASK32" = "taskgmrr.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftOLE
HKEY_CURRENT_USERSYSTEMCurrentControlSetControlLsa
HKEY_LOCAL_MACHINESoftwareMicrosoftOLE
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
so that it runs every time Windows starts.
Note: The worm continually recreates these registry keys if they are deleted.
Creates the mutex "H-E-L-L-B-O-T-32" so that only one instance of the worm is run on the compromised computer.
Gathers email addresses from the Windows Address Book and from the following locations:
%Windir%Temporary Internet Files
%UserProfile%Local SettingsTemporary Internet Files
%System%
Note:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:Windows or C:Winnt.
%UserProfile% is a variable that refers to the current users profile folder. By default, this is C:Documents and Settings[Current User] (Windows NT/2000/XP).
The worm gathers email addresses from files with the following extensions on all local drives from C to Y:
.adb*
.asp*
.dbx*
.htm*
.php*
.pl
.sht*
.tbb*
.txt
.wab*
The worm does not send itself to email addresses that contain any of the following strings:
abuse
accoun
acketst
admin
anyone
arin.
avp
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
help
info
linux
listserv
me
no
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
submit
support
the.bat
unix
webmaster
you
your
The worm does not send itself to email addresses that contain any of the following domain names:
.edu
.gov
.mil
arin.
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
iana
ibm.com
icrosof
icrosoft
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
tgers.ed
www
The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
From:
One of the following:
adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom
with one of the following domains:
aol.com
cia.gov
fbi.gov
hotmail.com
juno.com
msn.com
yahoo.com
Note: The worm may also spoof an address from one of those found on the computer.
Subject:
One of the following:
hello
Good Day
Error
Mail Delivery System
Mail Transaction Failed
Server Report
Status
[BLANK]
[RANDOM CHARACTERS]
Message:
One of the following:
[RANDOM CHARACTERS]
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents
Attachment:
One of the following:
body
data
doc
document
file
message
readme
test
text
[RANDOM NAME]
with one of the following as extension:
.pif
.scr
.exe
.bat
.cmd
Note: The worm may also send a zip copy of itself. The zipped file will have .doc, .htm, or .txt as the first extension name and .exe, .pif, or .scr as the second extension name.
Connects to the xtg.g3w.org domain on TCP port 36311 and listen for commands that allow the remote attacker to perform the following actions:
Execute files
Download files
Perform other IRC commands determined by the attacker
Restart the compromised computer
Opens an FTP server on TCP port 10099.
Scans for vulnerable computers and tries to exploit the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011). It then copies itself to exploited computers via FTP.
Blocks access to several security-related Web sites by appending the following text to the hosts file:
127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
===============================================
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.
Navigate to the subkeys:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftOLE
HKEY_CURRENT_USERSYSTEMCurrentControlSetControlLsa
HKEY_LOCAL_MACHINESoftwareMicrosoftOLE
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
In the right pane, delete the value:
"WINTASK32" = "taskgmrr.exe"
Exit the Registry Editor.
=====================================
|
